Clustering iChain 1.5

The BIG Note

Clustering on the iChain 1.5 server only allows us to cluster and accelerate services without SSL or authentication. This has been solved in iChain 2.0, so this workaround will tide you over until you can upgrade. The workaround is to have the cluster configuration point to the iChain/ICS server itself instead of to a web server. Because the cluster traffic goes to the iChain/ICS server itself, that server is then able to use authentication and SSL.

This clustering has only been tested (not extensively) as hardware failover, but in theory it should also work with load balancing, as long as a persistent connection is maintained to the box to which the user authenticated.

For clustering to work with iChain, SSLizer must be enabled for all of the services configured under the Web Accelerator tab of the ICS admin GUI, or you will be reprompted to log in indefinitely. You also need iChain SP1 and Field Patch 1 (preferably FP2). Without the field patch your logout will not work. Your logout must redirect you to port 443. Your redirect URL should look like this:

http://<ICS DNS Name>:443/cmd/BM-Logout

If you try to log out using port 80 or 1959, it will not work, and by clicking the back arrow you will still have access to the pages that you supposedly logged out of.

The BIG iChain/ICS Server Configuration

Your iChain/ICS servers will need to be configured exactly the same except for the network IP Addresses that they are bound to. The following is a list of configurations for the iChain/ICS Servers that I am using:

(NOTE: This is the DNS name that the cluster will send to the iChain/ICS Server and not the DNS name that resolves to this IP Address of the iChain/ICS Server)

-Accelerator IP Address: 151.155.164.152

-Port: 80

-Web Server Addresses: 10.1.1.3

-Port: 80

-Authentication Options: Enabled

-LDAP Authentication Profile

-Forward Authentication? Enabled (optional)

-Authenticate only when... Enabled (optional)

-Enable SSLizer: Enabled (Required)

-SSL Listening Port: 443

iChain/ICS Server 2:

-Network>IP Address

-Eth0: 151.155.164.153

-Eth1: 10.1.1.2

-Cache>Web Server Accelerator

-Name: 153nsrd

-DNS Name: 155.nsrd.lab.novell.com

(NOTE: This is the DNS name that the cluster will send to the iChain/ICS Server and not the DNS name that resolves to this IP Address of the iChain/ICS Server)

-Accelerator IP Address: 151.155.164.153

-Port: 80

-Web Server Addresses: 10.1.1.3

-Port: 80

-Authentication Options: Enabled

-LDAP Authentication Profile

-Forward Authentication? Enabled (optional)

-Authenticate only when... Enabled (optional)

-Enable SSLizer: Enabled (Required)

-SSL Listening Port: 443

The BIG Cluster Setup

When configuring the cluster tab, make sure that you configure the box with the lowest bound IP Address last. This box will act as the main box to direct traffic. The cluster tab must be configured identically on all boxes. If the cluster tabs are initially configured differently, your configuration will be overwritten with the configuration of the main iChain server.

Go to your cluster tab and check the Enable Cluster box.

Give your cluster a name.

Make sure that you are on the correct subnet for your servers.

Under Servers click insert and then specify a Name, IP Addresses, Role, and capacity for each of the iChain/ICS servers that will participate in the cluster (see the HELP on the ICS admin GUI for an explanation of role and capacity). The servers will use these IP Addresses to talk back and forth and coordinate who gets what and when.

The final thing to do is to add services to your cluster tab. You need to add two services for each Web Server Accelerator you have configured under your Web Accelerator tab. The first will be set up to correspond to your proxy/server port, usually 80, and the second will correspond to your SSL listening port, in this case 443.

Under the Services section click Accelerator.

Give your accelerator service a Name.

Specify the DNS name. This is the DNS name that the users will use to access the iChain/ICS box. This DNS name should resolve to an IP Address that isn't bound to any of the boxes.

For your Accelerator port, specify the same port that you used as the proxy/server port in your Web Server Accelerator configuration.

Your web server port will be the same as your Accelerator port.

Your Accelerator IP Address will be the IP Address that your cluster DNS Name resolves to and that none of the servers are bound to.

The Web Server Name/IP Address is the DNS name that we used for our cluster (155.nsrd.lab.novell.com).

In the etc/hosts file of each iChain/ICS Server, the DNS name must resolve to the iChain/ICS Server that you are configuring. For example, the hosts file of Server1 would have 155.nsrd.lab.novell.com resolve to 151.155.164.152, and on Server2 155.nsrd.lab.novell.com would resolve to 151.155.164.153.

Click OK and then add another accelerator with the same information, but with the ports set to your SSL listening port.

Once you have finished click Apply.
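
An added example (not part of the original article and not iChain code): a short Python audit of the rules above, checking per node that SSLizer is enabled, the logout redirect uses port 443, the cluster DNS name in the hosts file resolves to that node's own accelerator IP, and the cluster address is not bound to the node. The node dictionaries, the host ics.example.com and the cluster address 192.0.2.10 are constructed placeholders; only the 151.155.164.x and 10.1.1.2 addresses and the DNS name come from the article.

```python
from urllib.parse import urlsplit

CLUSTER_DNS = "155.nsrd.lab.novell.com"  # cluster DNS name used in the article
CLUSTER_IP = "192.0.2.10"                # placeholder: address bound to no node

def parse_hosts(text):
    """Map each hostname in hosts-file text to its IP, ignoring comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table

def audit_node(node, cluster_ip):
    """Return the list of rule violations for one node (empty means pass)."""
    findings = []
    if not node["sslizer"]:
        findings.append("SSLizer disabled: login will be reprompted indefinitely")
    url = urlsplit(node["logout_url"])
    if url.port != 443 or url.path != "/cmd/BM-Logout":
        findings.append("logout redirect must use port 443 and /cmd/BM-Logout")
    resolved = parse_hosts(node["hosts"]).get(CLUSTER_DNS)
    if resolved != node["accelerator_ip"]:
        findings.append(f"hosts file maps {CLUSTER_DNS} to {resolved}, "
                        f"expected {node['accelerator_ip']}")
    if cluster_ip in node["bound_ips"]:
        findings.append("cluster IP address is bound to this node")
    return findings

def audit_cluster(nodes, cluster_ip):
    """Audit every node; returns {node name: [findings]}."""
    return {name: audit_node(n, cluster_ip) for name, n in nodes.items()}

# Constructed sample. server2 carries two deliberate mistakes: a logout
# redirect on port 80 and a hosts file copied unchanged from server1.
NODES = {
    "server1": {"accelerator_ip": "151.155.164.152", "sslizer": True,
                "bound_ips": ["151.155.164.152"],
                "logout_url": "http://ics.example.com:443/cmd/BM-Logout",
                "hosts": "151.155.164.152 155.nsrd.lab.novell.com\n"},
    "server2": {"accelerator_ip": "151.155.164.153", "sslizer": True,
                "bound_ips": ["151.155.164.153", "10.1.1.2"],
                "logout_url": "http://ics.example.com:80/cmd/BM-Logout",
                "hosts": "151.155.164.152 155.nsrd.lab.novell.com  # copied\n"},
}

if __name__ == "__main__":
    for name, findings in audit_cluster(NODES, CLUSTER_IP).items():
        print(name, findings or "OK")
```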

You will need to configure the cluster tab on each of the iChain/ICS servers exactly the same. The following is an example configuration of two iChain/ICS boxes participating on the same cluster. Remember, iChain/ICS Server 2 needs to be configured first.